nichts/nyx/modules/options/system/networking/nftables.nix

{lib, ...}: let
  inherit (lib) mkTable mkPrerouteChain mkForwardChain mkOutputChain mkInputChain mkPostrouteChain mkIngressChain;
in {
  options.networking.nftables.rules = {
    # man nft(8)
    netdev = mkTable "netdev address family netfilter table" {
      filter.ingress = mkIngressChain "netdev";
    };

    bridge = mkTable "bridge address family netfilter table" {
      filter = {
        prerouting = mkPrerouteChain "bridge";
        input = mkInputChain "bridge";
        forward = mkForwardChain "bridge";
        output = mkOutputChain "bridge";
        postrouting = mkPostrouteChain "bridge";
      };
    };

    inet = mkTable "internet (IPv4/IPv6) address family netfilter table" {
      filter = {
        prerouting = mkPrerouteChain "inet";
        input = mkInputChain "inet";
        forward = mkForwardChain "inet";
        output = mkOutputChain "inet";
        postrouting = mkPostrouteChain "inet";
      };

      nat = {
        prerouting = mkPrerouteChain "inet";
        input = mkInputChain "inet";
        output = mkOutputChain "inet";
        postrouting = mkPostrouteChain "inet";
      };
    };

    arp = mkTable "ARP (IPv4) address family netfilter table" {
      filter = {
        input = mkInputChain "arp";
        output = mkOutputChain "arp";
      };
    };

    ip = mkTable "internet (IPv4) address family netfilter table" {
      filter = {
        prerouting = mkPrerouteChain "ip";
        input = mkInputChain "ip";
        forward = mkForwardChain "ip";
        output = mkOutputChain "ip";
        postrouting = mkPostrouteChain "ip";
      };

      nat = {
        prerouting = mkPrerouteChain "ip";
        input = mkInputChain "ip";
        output = mkOutputChain "ip";
        postrouting = mkPostrouteChain "ip";
      };

      route.output = mkForwardChain "ip";
    };

    ip6 = mkTable "internet (IPv6) address family netfilter table" {
      filter = {
        prerouting = mkPrerouteChain "ip6";
        input = mkInputChain "ip6";
        forward = mkForwardChain "ip6";
        output = mkOutputChain "ip6";
        postrouting = mkPostrouteChain "ip6";
      };

      nat = {
        prerouting = mkPrerouteChain "ip6";
        input = mkInputChain "ip6";
        output = mkOutputChain "ip6";
        postrouting = mkPostrouteChain "ip6";
      };

      route.output = mkForwardChain "ip6";
    };
  };
}
added stuff 2024-04-09 23:11:33 +02:00			`{lib, ...}: let`
			`inherit (lib) mkTable mkPrerouteChain mkForwardChain mkOutputChain mkInputChain mkPostrouteChain mkIngressChain;`
			`in {`
			`options.networking.nftables.rules = {`
			`# man nft(8)`
			`netdev = mkTable "netdev address family netfilter table" {`
			`filter.ingress = mkIngressChain "netdev";`
			`};`

			`bridge = mkTable "bridge address family netfilter table" {`
			`filter = {`
			`prerouting = mkPrerouteChain "bridge";`
			`input = mkInputChain "bridge";`
			`forward = mkForwardChain "bridge";`
			`output = mkOutputChain "bridge";`
			`postrouting = mkPostrouteChain "bridge";`
			`};`
			`};`

			`inet = mkTable "internet (IPv4/IPv6) address family netfilter table" {`
			`filter = {`
			`prerouting = mkPrerouteChain "inet";`
			`input = mkInputChain "inet";`
			`forward = mkForwardChain "inet";`
			`output = mkOutputChain "inet";`
			`postrouting = mkPostrouteChain "inet";`
			`};`

			`nat = {`
			`prerouting = mkPrerouteChain "inet";`
			`input = mkInputChain "inet";`
			`output = mkOutputChain "inet";`
			`postrouting = mkPostrouteChain "inet";`
			`};`
			`};`

			`arp = mkTable "ARP (IPv4) address family netfilter table" {`
			`filter = {`
			`input = mkInputChain "arp";`
			`output = mkOutputChain "arp";`
			`};`
			`};`

			`ip = mkTable "internet (IPv4) address family netfilter table" {`
			`filter = {`
			`prerouting = mkPrerouteChain "ip";`
			`input = mkInputChain "ip";`
			`forward = mkForwardChain "ip";`
			`output = mkOutputChain "ip";`
			`postrouting = mkPostrouteChain "ip";`
			`};`

			`nat = {`
			`prerouting = mkPrerouteChain "ip";`
			`input = mkInputChain "ip";`
			`output = mkOutputChain "ip";`
			`postrouting = mkPostrouteChain "ip";`
			`};`

			`route.output = mkForwardChain "ip";`
			`};`

			`ip6 = mkTable "internet (IPv6) address family netfilter table" {`
			`filter = {`
			`prerouting = mkPrerouteChain "ip6";`
			`input = mkInputChain "ip6";`
			`forward = mkForwardChain "ip6";`
			`output = mkOutputChain "ip6";`
			`postrouting = mkPostrouteChain "ip6";`
			`};`

			`nat = {`
			`prerouting = mkPrerouteChain "ip6";`
			`input = mkInputChain "ip6";`
			`output = mkOutputChain "ip6";`
			`postrouting = mkPostrouteChain "ip6";`
			`};`

			`route.output = mkForwardChain "ip6";`
			`};`
			`};`
			`}`